Security Flaw In Yahoo Mail Exposes Plaintext Authentication Info
holdenkarau writes "Yahoo!'s acquisition of open source mail client Zimbra has apparently brought some baggage to the mail team. The new Yahoo! desktop program transmits the authentication information in plain text. The flaw was discovered during a Yahoo 'hacku' Day at the University of Waterloo (the only Canadian school part of the trip). Compared to the recent news about Gmail exposing the names associated with accounts, this seems downright scary. So, if you have friends or relatives who might have installed Yahoo! desktop and value their e-mail accounts, now would be a good time to get them to change the password and switch back to the web interface."
Re:Overreaction... (Score:4, Interesting)
Sure it might be considered paranoid, but then again you don't put locks on your door because you're constantly expecting strangers to get in, you put them in just in case.
This security flaw makes it a piece of cake to get someone's login info if you want it. Then again; most website logins and all kinds of other things are probably the same way, so this is just the status quo.
Re:Overreaction... (Score:4, Insightful)
No, you put them in to discourage the thief from even trying. Breaking most door locks isn't a particularly hard task, but it is noisy and it's far more complicated than simply jumping in the open window next door.
That said, a door-locks-to-encryption analogy suffers. In order to tell whether or not you're using encryption, they basically have to have already compromised your system or connection in such a way that they can already see your packets. Maybe they move away at that point, but you've already got some pretty serious problems.
Re:Overreaction... (Score:4, Informative)
Maybe they move away at that point, but you've already got some pretty serious problems.
Yes, and if you're using plain text password transmission, game over.
The door lock to security analogy of this goes: When the thief twists your door knob to see if it's locked, if you didn't lock it, game over. From the street or some distant spot on the network, everything looks the same. It's ONLY when you attempt to open the door or look at the packets that you find out whether the locks are in use.
Getting to the point that they can see your packets (for many hackers) is as easy as walking up to your front door. On the Internet, it's as easy to walk up to your front door as it is to walk up to the front door of someone in another country. In fact, some hackers walk up to a LOT of front doors to find one that is not locked.
The analogy still works. Those serious problems that you are talking about have always been there. Every cable subscriber in the USA probably has 14 people looking at their front door to see if it's locked. Remember, hackers are not all script kiddies. It only takes one trojan to sit there and monitor the whole neighborhood looking for somewhere else to live and scoop passwords. Aunt Ethel on the corner doesn't know much about computer security, so her pc is the one monitoring your packets. See how this goes?
In this case, you do lock the doors because you are ALWAYS expecting people to try to get in. Period. That's just how it is.
Re: (Score:2)
Bollocks. As long as I'm using a wired service using my trusted ISP, then I would be pretty safe against any attacks on my IP packets. Not so with an open door, everybody can walk in. And even if I'm just using unsecured wifi, I don't think many hackers will physically go out of place just to hack my Yahoo account. Then there is the gain to be had, which is a lot less. Also less risk, but the comparison is completely flawed, whichever way you look at it.
Then again, SSL is certainly to be preferred.
But no https... (Score:5, Insightful)
Look at the fine picture. It's a wireshark trace. The complaint is that it is issuing IMAP traffic without even SSL wrapping it.
Modern practice: virtually all passwords, when transmitted on the wire, are protected through encryption, preferably with X.509 certificates mitigating the opportunity for man in the middle (in ssh's case, the more manual known_hosts mechanism). There is good reason.
Just because something was done 10 years ago, doesn't mean it was ok. 10 years ago, most desktops ran Windows 98. 10 years ago, Macs didn't implement preemptive multitasking. 10 years ago, some mailers would gleefully execute attachments without any check with the user. 10 years ago, IE would gleefully execute random ActiveX objects on the web.
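A defender's check for the kind of trace described above, added here as an example (it is not code from the story, from Yahoo or from Zimbra): given the client side of a captured IMAP session, it reports which credentials went over the wire before STARTTLS or on a non-TLS port. The function name, the port convention and the sample session lines are assumptions constructed for the example.

```python
import base64
import re

# Tag, command, optional arguments: the RFC 3501 command-line shape.
_CMD = re.compile(r"^\S+\s+(?P<cmd>[A-Za-z]+)(?:\s+(?P<args>.*))?$")

def _plain_user(b64):
    """Authcid from a SASL PLAIN payload: base64(authzid NUL authcid NUL passwd)."""
    try:
        parts = base64.b64decode(b64, validate=True).split(b"\x00")
    except ValueError:
        return "?"
    return parts[1].decode("utf-8", "replace") if len(parts) == 3 else "?"

def find_plaintext_auth(client_lines, port=143):
    """Return [(mechanism, username), ...] for each credential sent in the clear.
    Port 993 is implicit TLS, so nothing there is readable; on port 143 every line
    before STARTTLS travels unencrypted (STARTTLS is assumed to succeed, since the
    server's replies are not part of a client-side capture)."""
    encrypted = port == 993
    findings = []
    awaiting_plain = False  # AUTHENTICATE PLAIN whose payload is on the next line
    for raw in client_lines:
        line = raw.rstrip("\r\n")
        if awaiting_plain:
            awaiting_plain = False
            if not encrypted:
                findings.append(("AUTHENTICATE PLAIN", _plain_user(line)))
            continue
        m = _CMD.match(line)
        if not m:
            continue
        cmd, args = m.group("cmd").upper(), (m.group("args") or "").split()
        if cmd == "STARTTLS":
            encrypted = True
        elif cmd == "LOGIN" and args and not encrypted:
            findings.append(("LOGIN", args[0].strip('"')))
        elif cmd == "AUTHENTICATE" and args and args[0].upper() == "PLAIN":
            if len(args) > 1:  # SASL-IR: initial response on the same line
                if not encrypted:
                    findings.append(("AUTHENTICATE PLAIN", _plain_user(args[1])))
            else:
                awaiting_plain = True
    return findings

# Constructed captures shaped like the trace in the story; not real data.
SAMPLE_LOGIN = ["a001 CAPABILITY", 'a002 LOGIN "aunt.ethel@example.com" "hunter2"']
SAMPLE_PLAIN = ["a001 AUTHENTICATE PLAIN",
                base64.b64encode(b"\x00bob@example.com\x00pw").decode()]
```

Feed it the lines from Wireshark's "Follow TCP Stream" (client direction only); an empty result for a port-143 session means the client negotiated STARTTLS before authenticating.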
Re:But no https... (Score:4, Insightful)
I don't agree. Maybe for webmail and other web-based authentication schemes, but there are millions of people who use unencrypted POP and whose POP credentials are sent in clear text.
Re:But no https... (Score:5, Interesting)
but there are millions of people who use unencrypted POP and whose POP credentials are sent in clear text.
And the vast majority of those packets stay within the ISP's private network. You'd have to be directly sniffing the ISP's network, and who, besides the gov't and that ISP, has the wherewithal to accomplish such a task?
Re:But no https... (Score:5, Interesting)
"and who, besides the gov't and that ISP has the wherewithal to accomplish such a task?"
A man by the name of Dan Egerstad: http://it.slashdot.org/article.pl?sid=07/09/11/1730258
Apparently, because POP transactions are in the clear, sophisticated government users have used the onion router network to encrypt the traffic and allow remote POP logins.
All you need is to get Wireshark and a nice high speed connection and start running yourself an onion router; it's amazing what you'll get...
As far as the government being able to read e-mail, well, that doesn't sit well with me either. Since when can we trust 'Big Brother' the government? The same government that wasted billions of dollars on Halliburton no-bid contracts that resulted in substandard work when anything was done at all?
Re: (Score:2)
What does "allow remote POP logins" have to do with (quoting from my original message) "packets stay within the ISP's private network"?
Re: (Score:2)
If the government can't prevent users from doing remote logins using TOR network technology, then why do you assume anyone is going to prevent power users from finding ways to get remote e-mail access that is by policy denied? That was my point.
Re:But no https... (Score:4, Informative)
How is this different to sniffing passwords from unencrypted http-based logins?
Just go to your local coffee shop with open wireless and sniff the wireless there.
Re: (Score:2)
Just go to your local coffee shop with open wireless and sniff the wireless there.
But that's not within the ISP's network.
Re: (Score:2)
Exactly. You were the one who made the original assertion about POP packets remaining within the ISP's "private" network. I pointed out that many people use unencrypted wireless sessions at public locations, which tends to refute your point.
So, what's your point?
Re: (Score:2)
made the original assertion about POP packets
I said "the vast majority of those packets stay within the ISP's private network", because I acknowledge that you can usually access POP servers from outside the private network. (That's how I continued to read my email while evacuated for Katrina.)
Re: (Score:2)
And no-one uses POP servers other than their ISP's right? Oh, but you can also access Yahoo mail through unencrypted POP, and there are perhaps hundreds of thousands of businesses whose users check their email over unencrypted POP.
So, we have:
* Users POPing t
Re: (Score:2)
Most mail providers don't support SSL for POP or IMAP, in fact I've never seen secure pop or imap.
Re: (Score:2)
Pick better companies. We're a very small web hosting company, for instance, and we provide secure POP3 and IMAP.
Re:But no https... (Score:4, Insightful)
Modern practice, virtually all passwords when transmitted on the wire are protected through encryption
Considering a *lot* of users use passwords primarily on the Internet, this statement is incorrect.
Any website that requires you to log in, and does not use https/ssl or HTTP digest access authentication will be sniffable.
AFAIK, hotmail, yahoo and gmail, amazon, ebay all allow users to log in via http - that's probably 90%+ of your users vulnerable right there.
Just to put this in perspective: this may be a backwards step for Yahoo Mail users per se, but it isn't really much worse than your average user logging into a bunch of other websites with the same password anyway.
Re: (Score:2)
Look at the fine picture. It's a wireshark trace. The complaint is that it is issuing IMAP traffic without even SSL wrapping it.
I was trying to move someone from Outlook Express to Thunderbird, but she'd forgotten her IMAP password (auto-saved). Had a dig around in the registry, found the entry, but couldn't work out how to recover it (in about 5 mins of trying). So I just installed Wireshark and sniffed her packets while she logged into her mail from OE. (Luckily, her setup wasn't using SSL.)
Re: (Score:1, Offtopic)
This might be hard to believe, but less than ten years ago virtually all passwords were transmitted in plain text.
This just in: man wakes from 10 year slumber to find that the internet has changed and no one cares about Monica Lewinsky anymore. Story at 11.
Re: (Score:3, Interesting)
More to the point, if you are using one of these free ad agency supplied services you surely are not using it for anything important or sensitive anyway.
Are you?
Re: (Score:2, Funny)
More to the point, if you are using one of these free ad agency supplied services you surely are not using it for anything important or sensitive anyway.
Are you?
You give the general public too much credit, or are you joking?
Like Joe Average is going to care... (Score:5, Insightful)
I mean seriously, most sites transmit their passwords in plain text, and most people use the same credentials everywhere, so what's the big fudging deal?
If you can't trust your upstream provider you should be using someone else anyways.
Re: (Score:1)
I guess the question to ask then, is how about GMail? Does anyone know if they are more secure? If so, then perhaps it'd be worth our time to convince some more people to switch for the sake of security.
Re: (Score:3, Informative)
I guess the question to ask then, is how about GMail? Does anyone know if they are more secure? If so, then perhaps it'd be worth our time to convince some more people to switch for the sake of security.
Gmail is more secure; it actually requires SSL to connect to the IMAP & POP servers (Yahoo! doesn't support SSL on its IMAP servers).
Re: (Score:1)
I agree; the average Joe uses their street address, their birthday or their children's names as their password and uses it everywhere. You don't have to intercept their password to hack it if you really want to. That being said, because they use the same username/password e
Re: (Score:2)
Yeah don't get me wrong, I think security is a big issue, but I (we) are not Joe Average.
I've got KDEWallet to store my passwords, use different passwords in different places, and if the site is just slightly shady I use a different login compared to my default (splab).
A good example of forcing security (I think) is the way we handle pin codes at work (used for signing in on your phone). Rather than using a 4 digit code we require a 5 digit and suggest they should not use any part of their credit card pin. Now we c
Re: (Score:2)
Mix it up with something known, yeah someone knowing the procedure would still be through, but as you said, it beats nothing.
However, still not a good solution.
Not significant? (Score:1)
I haven't looked carefully at the rest of the platforms that Yahoo provides, but I believe that at least Yahoo Messenger (when connecting with Pidgin anyway) also sends the same auth credentials in plain text. Not that the overall problem is insignificant (*any* time auth credentials are sent, in any context, they should be encrypted), but worrying only about IMAP is naive in this case. (What about POP? What about all the Y! web platforms?)
Re: (Score:2, Insightful)
I haven't looked carefully at the rest of the platforms that Yahoo provides, but I believe that at least Yahoo Messenger (when connecting with Pidgin anyway) also sends the same auth credentials in plain text. Not that the overall problem is insignificant (*any* time auth credentials are sent, in any context, they should be encrypted), but worrying only about IMAP is naive in this case. (What about POP? What about all the Y! web platforms?)
Yahoo! POP is SSL encrypted (and only available to pro account users in any case). Part of the worry for me is that Yahoo! doesn't disclose that the connection is unencrypted in the default program, and there is no way to get it to use encryption (the server doesn't even support encryption). As for other Yahoo! properties, I have no idea.
Switch to web interface THEN change the password (Score:3, Informative)
After all, you've just told them the app uses plain text, then you tell them to use the app to change the password. :)
That said, the friends and relatives probably use machines running key loggers anyway.
It's a tricky one (Score:2)
Google vs Yahoo. Evil ... or stupid?
You get what you pay for. (Score:1, Interesting)
I have never liked the concept of free E-mail. Like Robert Heinlein said, TANSTAAFL.
This is why I recommend people use paid ISPs for their real E-mail accounts, and perhaps use Yahoo, Google, or Rocketmail for registering on spammy websites where they want an E-mail address so they can make their advertisers happy.
I will sound like an MS shill here, but this is something I like about MS Exchange. The POP3, IMAP, and OWA services can all be configured to be SSL/TLS only. I know that with an Exchange hosted pr
Re: (Score:2)
Nice, you have an opinion; now where is your analysis? I like having the same email after 8 years and changing 5 different ISPs and 4 different jobs. The spam filtering works reasonably well and I have access to old emails from the entire period. I can get to my email any time/anywhere. I can count on one hand the number of times the service wasn't available.
I like yahoo mail.
Re:You get what you pay for. (Score:4, Funny)
When I signed up for DSL service, it was with SBC Yahoo! DSL, you insensitive clod!
Re: (Score:2)
"This is why I recommend people use paid ISPs for their real E-mail accounts, and perhaps use Yahoo, Google, or Rocketmail for registering on spammy websites where they want an E-mail address so they can make their advertisers happy."
Guess what? More and more "paid ISPs" are cutting costs and decommissioning their mail servers in favor of Google Apps/Gmail. ISP.com, for example, is currently switching their users over.
How about (Score:2)
time to switch to Linux, go back to the web interface, and change passwords?
Well, desktop Linux has to come one way or another. Haven't you guys heard of guerrilla tactics?
This will be fixed in the next version. (Score:5, Informative)
Re: (Score:2, Insightful)
*What* will be fixed in the next version of Zimbra; the fact that *Yahoo* allows cleartext passwords?
'Cause that's not Zimbra's fault.
In fact, the *Zimbra* server-side component, while it permits you to allow clear-text POP and IMAP logins, defaults that switch to off.
What's that tag again? Badsummary?
Re: (Score:2)
When is the next version coming out? Why no patches/hotfixes for the released one?
Re: (Score:2)
When is the next version coming out? Why no patches/hotfixes for the released one?
Usually that's a clear sign that the problem isn't a bug, but a design flaw; they can't just patch it, because that would break things.
Yahoo inbox can be hacked ? (Score:1)
I don't have to worry because I didn't use my Yahoo mailbox for any official purposes.
Ah, I shouldn't joke about that.
Re: (Score:2)
The thing about corporate email accounts is that they are set up by the IT department, who don't let users use dodgy password recovery systems.
Here's a better idea (Score:2)
Don't use Yahoo.
Don't use AOL.
Don't use Microsoft, for God's sakes, or you'll never get your back emails out of it if you decide to move to another service.
Don't even use Gmail (except as a spam trap or for signing up to Web sites, like I do.)
Don't use crap in general.
Get a REAL email account - from your ISP or from your Web hosting provider - that you control, that has security, that is accessible by Web or email client. Then get a decent email client like Thunderbird. It's not rocket science.
Paging the Alaskan Governor... (Score:2)
One more reason not to use Yahoo for certain sensitive needs.
(incoming overrated's in 3...2...1...)
Trusting the Cloud (Score:1)